aa-tools

Artifact analysis tools by JPCERT/CC Analysis Center

apt17scan.py

Volatility plugin for detecting APT17 related malware and extracting its config

Article/Blog entry:
http://www.jpcert.or.jp/magazine/acreport-aptscan.html (Japanese)
http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html (English)

emdivi_postdata_decoder.py

Python script for decoding Emdivi's post data

Article/Blog entry:
http://www.jpcert.or.jp/magazine/acreport-emdivi.html (Japanese)
http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html (English)

emdivi_string_decryptor.py

IDAPython script for decrypting strings inside Emdivi

Article/Blog entry:
http://www.jpcert.or.jp/magazine/acreport-emdivi.html (Japanese)
http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html (English)

Citadel Decryptor

Data decryption tool for Citadel

Article/Blog entry:
http://www.jpcert.or.jp/magazine/acreport-citadel.html (Japanese)
http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html (English)

adwind_string_decoder.py

Python script for decoding strings inside Adwind

Article/Blog entry:
https://www.jpcert.or.jp/magazine/acreport-adwind.html (Japanese)
http://blog.jpcert.or.jp/2016/05/decoding-obfuscated-strings-in-adwind.html (English)

impfuzzy

impfuzzy is a fuzzy hash calculated from the import API table of PE files

Article/Blog entry:
https://www.jpcert.or.jp/magazine/acreport-impfuzzy.html (Japanese)
http://blog.jpcert.or.jp/2016/05/classifying-mal-a988.html (English)

redleavesscan.py

Volatility plugin for detecting RedLeaves and extracting its config

Article/Blog entry:
https://www.jpcert.or.jp/magazine/acreport-redleaves2.html (Japanese)
http://blog.jpcert.or.jp/2017/05/volatility-plugin-for-detecting-redleaves-malware.html (English)

License: Other


Languages: Python 97.1%, C 2.9%